Multi-event correlation of registry key creation under Active Setup with anomalous process execution at user logon. Behavioral patterns include creation or modification of HKLM Active Setup keys with non-standard StubPath values, followed by process execution from uncommon paths, by unsigned binaries, or with unusual parent-child lineage after the user logs in.

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Metadata (DC0088) | WinEventLog:Security | EventCode=4672 |
| Process Creation (DC0032) | WinEventLog:Microsoft-Windows-Security-Auditing | EventCode=4688 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13 |
| Windows Registry Key Creation (DC0056) | WinEventLog:Sysmon | EventCode=12 |

| Field | Description |
|---|---|
| TimeWindow | Correlate registry change and process execution within a specific user logon session (e.g., 5–10 minutes) |
| ParentProcessName | Expected parent processes for Active Setup launched binaries (e.g., explorer.exe). Deviations may indicate abuse. |
| StubPathValueEntropy | Degree of randomness/uncommonness in StubPath values. High entropy may indicate obfuscation. |
| SignedBinaryStatus | Flag if the binary launched from StubPath is unsigned or uncommon relative to the baseline |
| RegistryKeyOwner | Check which user/context added the Active Setup key to detect privilege abuse |
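The correlation and tunables above, as an added worked example that is not part of this page's own content: it pairs Sysmon 13 StubPath writes under the Active Setup key with Security 4688 process starts of that executable inside the time window, then applies the parent, signature, path and entropy checks. The event dictionaries, the field names, the constructed sample events, the baseline parent set (explorer.exe plus runonce.exe) and the threshold values are all assumptions to be tuned against your own telemetry.

```python
import math
from collections import Counter
from datetime import datetime, timedelta

# Tunables mirroring the table above; the values are assumptions to tune against your baseline.
ACTIVE_SETUP = "\\microsoft\\active setup\\installed components\\"
COMMON_ROOTS = ("c:\\windows\\", "c:\\program files")   # where baseline StubPath targets live
EXPECTED_PARENTS = {"explorer.exe", "runonce.exe"}      # ParentProcessName baseline (assumed)
WINDOW = timedelta(minutes=10)                          # TimeWindow
ENTROPY_THRESHOLD = 3.5                                 # StubPathValueEntropy, over the exe name stem

# Constructed sample events (Sysmon 13 and Security 4688) reduced to an assumed simplified schema.
AS_KEY = r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
T0 = datetime(2024, 1, 15, 8, 0, 0)
EVENTS = [
    {"event": 13, "time": T0, "user": "CORP\\svc_deploy", "key": AS_KEY + r"\{aaaa-1111}\StubPath",
     "details": r"C:\Users\Public\Libraries\qz7Fk2pLw9xT.exe /s"},
    {"event": 4688, "time": T0 + timedelta(minutes=3), "user": "CORP\\alice", "signed": False,
     "image": r"C:\Users\Public\Libraries\qz7Fk2pLw9xT.exe", "parent": "cmd.exe"},
    {"event": 13, "time": T0, "user": "NT AUTHORITY\\SYSTEM", "key": AS_KEY + r"\{bbbb-2222}\StubPath",
     "details": r"C:\Windows\System32\unregmp2.exe /ShowWMP"},
    {"event": 4688, "time": T0 + timedelta(minutes=1), "user": "CORP\\alice", "signed": True,
     "image": r"C:\Windows\System32\unregmp2.exe", "parent": "runonce.exe"},
]

def shannon_entropy(s):
    # Bits per character. Whole paths all score high, so correlate() scores only the exe name stem.
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values()) if s else 0.0

def correlate(events, window=WINDOW, entropy_threshold=ENTROPY_THRESHOLD):
    # Pair each Active Setup StubPath write with a start of that exe inside the window after it.
    writes = [e for e in events if e["event"] == 13 and ACTIVE_SETUP in e["key"].lower()
              and e["key"].lower().endswith("\\stubpath")]
    findings = []
    for w in writes:
        exe = (w.get("details", "").split() or [""])[0].strip('"')  # exe before any arguments
        stem = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        for p in (e for e in events if e["event"] == 4688):
            delay = p["time"] - w["time"]
            if not (timedelta(0) <= delay <= window) or p["image"].lower() != exe.lower():
                continue
            checks = [(shannon_entropy(stem) > entropy_threshold, "high-entropy StubPath"),
                      (not exe.lower().startswith(COMMON_ROOTS), "StubPath outside baseline roots"),
                      (p["parent"].lower() not in EXPECTED_PARENTS, f"unexpected parent {p['parent']}"),
                      (not p["signed"], "unsigned binary")]
            reasons = [text for hit, text in checks if hit]
            if reasons:  # key_owner vs logon_user is carried so the analyst can compare contexts
                findings.append({"key_owner": w["user"], "logon_user": p["user"], "image": p["image"],
                                 "delay_s": delay.total_seconds(), "reasons": reasons})
    return findings
```

With the constructed events, only the Public\Libraries StubPath produces a finding; the unregmp2.exe entry launched by runonce.exe is within the baseline on every check and stays silent.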